
Re: [Rivendell] idassert-bind not working as expected?



Your setup, with minor changes (the naming contexts, and the remote
server is OpenLDAP as well) works just fine with current re23 and HEAD
code, using either slapd-meta(5) (why?) or slapd-ldap(5) with
slapo-rwm(5).  So the devil must be in the details.  In any case, since
OpenLDAP 2.3.30 there were at least 10 fixes/enhancements to
slapd-ldap(5) and at least 6 to slapd-meta(5), so an upgrade might help.

p.

Federico Grau wrote:
> With minimal information as requested by the moderators multiple times.  Why
> doesn't idassert-bind work as expected?  When I try an anonymous query to an
> "LDAP" server via an OpenLDAP server configured as a proxy (backend meta , or
> backend ldap), the query fails because the OpenLDAP server does not bind (even
> when I try setting the "idassert-bind" option).
> 
>     # sample failed anonymous query to AD via OpenLDAP
>     ldapsearch -H "ldap://localhost/" -b "ou=windows,dc=rfa,dc=org" -x
> 
>     # expected query to be performed by ldap server
>     ldapsearch -H "ldap://dc1.rfa.org/" -b "cn=users,dc=rfa,dc=org" \
>         -D "CN=LDAP Proxy user account,OU=Windows,DC=rfa,DC=org" -W \
>         -x
> 
>     # using (tcpdump -x -s0 port 389) I never see a bind sent from OpenLDAP,
>     # and instead I see an error returned from the "LDAP" server because a
>     # bind was not successful.
> 
> 
>     # backend meta portion of the slapd.conf file
>     ##database    ldap
>     database    meta
> 
>     suffix      "ou=windows,dc=rfa,dc=org"
>     uri         "ldap://dc1.rfa.org/ou=windows,dc=rfa,dc=org"
> 
>     suffixmassage   ou=windows,dc=rfa,dc=org
>                     cn=users,dc=rfa,dc=org
> 
>     idassert-authzFrom "dn:*"
>     #Xidassert-bind   bindmethod=simple binddn="ldap-proxy@rfa.org" credentials="222222"
>     idassert-bind   bindmethod=simple binddn="CN=LDAP Proxy user account,OU=Windows,DC=rfa,DC=org" credentials="222222"  mode=none
>     dncache-ttl     60
> 
> 
> 
> My environment is made up of Debian stable (4.0 Etch) on the workstations and
> OpenLDAP server, OpenLDAP 2.3.30-5 on the server.  "LDAP" Server on the remote
> end.
> 
> 
> thank you,
> donfede
> 




Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
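As an added example (not part of this thread and not Pierangelo's or the OpenLDAP project's own text), this is the slapd-ldap(5) plus slapo-rwm(5) form of the back-meta fragment quoted above, the alternative the reply says works with current code. The suffix, remote URI, bind DN and naming contexts are taken from the posted configuration; the password is a placeholder, and the moduleload lines are only needed if slapd was built with dynamic backends and overlays.

```conf
# Added example: slapd-ldap(5) + slapo-rwm(5) equivalent of the quoted
# back-meta configuration. Names come from the posted config; the
# credentials value is a placeholder to be replaced.

#moduleload  back_ldap      # only with dynamically loaded backends
#moduleload  rwm            # only with dynamically loaded overlays

database        ldap
suffix          "ou=windows,dc=rfa,dc=org"
# back-ldap takes the bare server URI; the naming context is handled
# by the suffix and by the rwm rewrite below.
uri             "ldap://dc1.rfa.org/"

# Always bind to the remote server with a fixed service account and do
# not assert the client's identity (mode=none), which is the right
# choice when the remote server cannot be expected to honour proxied
# authorization. Lines starting with whitespace continue the directive.
idassert-bind   bindmethod=simple
                binddn="CN=LDAP Proxy user account,OU=Windows,DC=rfa,DC=org"
                credentials="REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
                mode=none
idassert-authzFrom "dn:*"

# Rewrite the local virtual suffix to the remote naming context, the
# role suffixmassage played in the back-meta version.
overlay             rwm
rwm-suffixmassage   "ou=windows,dc=rfa,dc=org" "cn=users,dc=rfa,dc=org"
```

Because idassert-bind stores a service-account password in slapd.conf, keep the file readable only by the user slapd runs as, and give that account no more rights on the remote directory than the proxied searches need.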